2. The "MAIL FROM" identity could have additional information in
the localpart that cryptographically identifies the mail as
coming from an authorized source. In this case, such an SPF
record could be used:

   "v=spf1 mx exists:%{l}._spf_verify.%{d} -all"

Then, a specialized DNS server can be set up to serve the
_spf_verify subdomain that validates the localpart. Although
this requires an extra DNS lookup, this happens only when the
E-Mail would otherwise be rejected as not coming from a known
good source.

Note that due to the 63-character limit for domain labels,
this approach only works reliably if the localpart signature
scheme is guaranteed either to only produce localparts with a
maximum of 63 characters or to gracefully handle truncated
localparts.

3. Similarly, a specialized DNS server could be set up that will
rate-limit the E-Mail coming from unexpected IP addresses.

   "v=spf1 mx exists:%{ir}._spf_rate.%{d} -all"

4. SPF allows the creation of per-user policies for special
cases. For example, the following SPF record and appropriate
wildcard DNS records can be used:

   "v=spf1 mx redirect=%{l1r+}._at_.%{o}._spf.%{d}"
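
The names that the records in items 2 to 4 expand to, and the 63-character
label check from item 2, as an added example that is not part of the original
document. It handles the macro letters s, l, o, d and i for IPv4 only; the
function names, sender addresses and IP address are constructed for
illustration.

```python
import re

DELIMS = ".-+,/_="  # delimiter characters allowed after the transformers
MACRO = re.compile(
    r"%\{([slodi])(\d*)(r?)([" + re.escape(DELIMS) + r"]*)\}|%([%_-])")


def expand(spec, sender, ip, domain=None):
    """Expand SPF macros in a domain-spec (subset: s, l, o, d, i; IPv4)."""
    local, _, sender_dom = sender.rpartition("@")
    values = {"s": sender, "l": local or "postmaster", "o": sender_dom,
              "d": domain or sender_dom, "i": ip}

    def repl(m):
        if m.group(5):  # the literals %%, %_ and %-
            return {"%": "%", "_": " ", "-": "%20"}[m.group(5)]
        letter, digits, rev, delims = m.group(1, 2, 3, 4)
        # Split on the listed delimiters; "." is the default.
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]  # keep the right-hand N parts
        return ".".join(parts)  # parts are always re-joined with "."

    return MACRO.sub(repl, spec)


def oversized_labels(name):
    """Return the labels that exceed the 63-character DNS label limit."""
    return [label for label in name.split(".") if len(label.encode()) > 63]


if __name__ == "__main__":
    ip = "192.0.2.3"  # constructed sample client address
    # Constructed senders: a short signed localpart, a 70-character one,
    # and a plus-tagged address for the per-user policy.
    short_sig = "alice-5f2a9c@example.com"
    long_sig = "alice-" + "a1" * 32 + "@example.com"
    print(expand("%{l}._spf_verify.%{d}", short_sig, ip))
    print(expand("%{ir}._spf_rate.%{d}", short_sig, ip))
    print(expand("%{l1r+}._at_.%{o}._spf.%{d}", "bob+news@example.com", ip))
    too_long = oversized_labels(expand("%{l}._spf_verify.%{d}", long_sig, ip))
    print("labels over 63 characters:", too_long)
```

In the per-user record, "%{l1r+}" splits the localpart on "+", reverses the
parts and keeps the right-hand one, so a plus-tagged address selects the same
policy name as the untagged address.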

1. Forwarding services can solve the problem by rewriting the
"MAIL FROM" to be in their own domain. This means that mail
bounced from the external mailbox will have to be re-bounced
by the forwarding service. Various schemes to do this exist
though they vary widely in complexity and resource
requirements on the part of the forwarding service.

2. Several popular MTAs can be forced from "alias" semantics to
"mailing list" semantics by configuring an additional alias
with "owner-" prepended to the original alias name (e.g., an
alias of "friends: george@example.com, fred@example.org" would
need another alias of the form "owner-friends:localowner").